Topic: How I'd Hack Your Weak Passwords

Stop whatever you are doing and read this article. Then go fix your password issues. Don't wait till tomorrow or next week, do it now.

Quote

* You probably use the same password for lots of stuff, right?
* Some sites you access, such as your bank or work VPN, probably have pretty decent security, so I'm not going to attack them.
* However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you've shopped at might not be as well prepared. So those are the ones I'd work on.
* So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try, say, 10,000 (or 100,000, whatever makes you happy) different usernames and passwords as fast as possible.
* Once we've got several login+password pairings we can then go back and test them on targeted sites.
* But wait, how do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser's cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things: the length and complexity of your password, the speed of the hacker's computer, and the speed of the hacker's Internet connection.

It still wouldn't work in most cases today... that's why banks have the authorization questions and PINs in place, because they figured this out already. If you try to log in from a computer that the user hasn't already used, you'll get one of a series of questions before you get in... questions that are based on the user, not the password. Then, if your bank is extremely paranoid like mine is, you'll have to enter a PIN before you do anything after that.

I'm happy to believe my common password isn't human-guessable, but I'd say it is brute-forceable. I don't use it for any site which deals with money, but still, if someone guessed it there'd probably be a way to go from it to some of what I'd consider my more secure passwords.
They have a point, but it's not as big of a deal as it used to be.

Sites like Paypal aren't as paranoid as your bank, but access to a site like that could be just as devastating for some people, considering Paypal accounts are usually tied to checking and/or credit card accounts, and may also contain a cash balance, sometimes a large one if you run a business that accepts payments through Paypal.

How about hijacking your domain name?

How about gaining access to your account at the site you have your car insurance, changing the address, phone number etc, and then canceling your insurance and asking for a refund on unused premiums?

There is a whole lot more than just access to your bank's website to worry about, and a lot of those sites are not as paranoid about security.

PayPal has a wonderful and cheap hardware security key that generates one-time-use PINs that can be required for login. I wish my bank and credit card account were so secure.

Most people don't know about that hardware key.

AOL has a similar key that can protect your account and email, if you use their service. The key is required on accounts for all AOL employees (and they get it for free), and optional for their customers, who get charged for each one. And each screen name needs its own key, so to fully protect an account containing 7 screen names, it would cost you $140 initially for setup and the hardware devices, and $1.95/month to continue using it. It's not something they advertised all that much, and if you want it you'd have to already know it exists through some other means of finding out about it (like reading this post) and then contact their customer service and ask how to get one. (This is why adoption by their users has been considered a failure... nobody knows it's available.)

My business bank account demands you log in as normal, and then to access account info you have to use a device that looks like a calculator, into which you insert your debit card and enter your card PIN; it then creates a unique 8-digit code for that session. Very effective, and it even puts me off using online banking because it is so convoluted!
I have that same system, from Barclays PLC Business Banking, and one for my personal accounts. It also annoys me enough that I have used online banking ONCE to check out the system, then decided it was quicker and easier to find a cash machine!

Outdated or not, old, or brand spanking new, this is still a good subject to touch upon from time to time.

People who are not exactly tech-savvy will find this a very interesting read indeed, and even those of us who do know what we are doing sometimes need reminding to choose passwords people can't simply guess or brute-force, and to stop using the same passwords for everything.

A modern server can calculate the MD5 hash of about 330MB every second. If your users have passwords which are lowercase, alphanumeric, and 6 characters long, you can try every single possible password of that size in around 40 seconds.
And that’s without investing anything.

For easy to remember but stronger passwords, pass-phrases are great.

The scale there is logarithmic, so if you use a pass-phrase, each character beyond 6 multiplies the brute force time by 10. So:
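The arithmetic behind the "40 seconds" figure above, worked through as an added example (this code is not from the thread or from any tool it names). It assumes the post's rate of about 330 MB of MD5 input per second and that each candidate password costs its own length in bytes, so a 6-byte candidate set gets roughly 55 million guesses per second; it also runs a real, deliberately tiny exhaustive search against an unsalted MD5 hash of a constructed short password to show that the keyspace, not the hash, is what decides the time.

```python
import hashlib
import itertools
import string

# Character set the post discusses: lowercase letters plus digits (36 symbols).
LOWER_ALNUM = string.ascii_lowercase + string.digits

# Assumption taken from the post: a server MD5-hashes about 330 MB per second.
# The guess rate in candidates/second then depends on candidate length.
MD5_BYTES_PER_SECOND = 330_000_000


def keyspace_size(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def brute_force_seconds(charset_size: int, length: int,
                        bytes_per_second: int = MD5_BYTES_PER_SECOND) -> float:
    """Worst-case time to hash every password of the given size.

    Each candidate is `length` bytes, so the candidate rate is
    bytes_per_second / length (e.g. 330e6 / 6 = 55 million guesses/s).
    """
    candidates_per_second = bytes_per_second / length
    return keyspace_size(charset_size, length) / candidates_per_second


def md5_hex(password: str) -> str:
    """Unsalted MD5, the weak scheme the post assumes the site uses."""
    return hashlib.md5(password.encode()).hexdigest()


def brute_force_md5(target_hex: str, charset: str = LOWER_ALNUM,
                    max_length: int = 4):
    """Try every string over `charset` up to max_length symbols.

    Returns the recovered password, or None if the keyspace is exhausted.
    """
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if md5_hex(candidate) == target_hex:
                return candidate
    return None


if __name__ == "__main__":
    # Exhaustive-search cost for lowercase alphanumeric passwords of a few lengths.
    for length in (6, 7, 8, 10):
        secs = brute_force_seconds(36, length)
        print(f"36^{length:<2} = {keyspace_size(36, length):>20,} candidates "
              f"-> {secs:>14,.0f} s ({secs / 86400 / 365:,.2f} years)")

    # A pass-phrase: 20 symbols drawn from letters and space (27 symbols).
    secs = brute_force_seconds(27, 20)
    print(f"27^20 pass-phrase -> {secs / 86400 / 365:.3e} years")

    # Constructed demo: a 4-character password recovered from its unsalted MD5.
    demo_hash = md5_hex("c4t9")
    print("recovered:", brute_force_md5(demo_hash, max_length=4))
```

The 6-character row reproduces the post's figure (about 40 seconds); each extra character multiplies the work by 36 and only slightly lowers the guess rate, so 7 characters is already about 28 minutes and 8 characters about 17 hours at the same rate. The pass-phrase row is the reason the post recommends them: the exponent, not the symbol set, dominates.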

Oh the Irony! My LifeHacker (Gawker) account was just compromised, and the login details were used to get into my (old) Gmail account and send spam to everyone in my contact list.

Can you recover them? Recovery questions and whatnot? Or get a new password via the 'forgot your password?' system?

My login details were not changed. In fact, I think my account wasn't actually logged into by a person. I think my credentials were just used to authenticate a robot to grab my contact list and mass send spam to 10 people at a time (or whatever) without actually signing in to the Gmail website. But that's just a guess. I could be completely wrong about that.

But anyway, yeah, I just signed in, Google alerted me of suspicious activity and recommended to me that I should change my password, which I did. I also removed everybody from my contact list since I don't use that account anymore (for sending e-mail), in case it somehow gets compromised again.

Now I'm using a password manager and going crazy with the password generator. So far I've generated passwords using alphanumerics + special characters that were anywhere from the "lowly" 20 to the "insane" amount of 40 characters long. Now I just have to hope beyond hope that my password manager never loses its database or becomes compromised.

^ That really sucks. I wish there was some way to hold people responsible for this kind of stuff accountable for their actions. I've never been really paranoid about my passwords... but I'm getting there. I just don't want to use a password generator/manager. I started along that path with 1Password, but just never got to the using it part. I do like the idea of using a passphrase, though.